Rename /debug endpoints to /query and add auth (#502)

## Which problem is this PR solving? - Adds a local query token to allow the changes in #500 to be protected by a locally-defined token in a header. ## Short description of the changes - Before #500, there was a single /debug/trace endpoint, but there is also an optional /debug endpoint intended for use with a debugger and profiler. So I renamed /debug to /query for the trace and config. - I added to these new /query endpoints a local configuration value `QueryAuthToken` that can be specified in the config file or in the environment. If specified, the `X-Honeycomb-Refinery-Query` header must be specified on a query request. - If the QueryAuthToken is not specified in the configuration, the /query endpoints are not accessible. Note that because the `/debug/trace` request has been renamed and is now protected by a token, this is technically a breaking change (although `/debug/trace` isn't intended for regular operation and wasn't documented outside of the source code).
honeycombio · Sep 6, 2022 · 47ff62a · 47ff62a
1 parent 8442d86
commit 47ff62a
Show file tree

Hide file tree

Showing 9 changed files with 179 additions and 196 deletions.
diff --git a/README.md b/README.md
@@ -139,17 +139,18 @@ The default logging level of `warn` is almost entirely silent. The `debug` level
 
 ### Configuration
 
-Because the normal configuration file formats (TOML and YAML) can sometimes be confusing to read and write, it may be valuable to check the loaded configuration by using one of the debug endpoints from the command line:
+Because the normal configuration file formats (TOML and YAML) can sometimes be confusing to read and write, it may be valuable to check the loaded configuration by using one of the `/query` endpoints from the command line on a server that can access a refinery host.
 
-`curl --include --get $REFINERY_HOST/debug/allrules/$FORMAT` will retrieve the entire rules configuration.
+The `/query` endpoints are protected and can be enabled by specifying `QueryAuthToken` in the configuration file or specifying `REFINERY_QUERY_AUTH_TOKEN` in the environment. All requests to any `/query` endpoint must include the header `X-Honeycomb-Refinery-Query` set to the value of the specified token.
 
-`curl --include --get $REFINERY_HOST/debug/rules/$FORMAT/$DATASET` will retrieve the rule set that refinery will use for the specified dataset. It comes back as a map of the sampler type to its rule set.
+`curl --include --get $REFINERY_HOST/query/allrules/$FORMAT --header "x-honeycomb-refinery-query: my-local-token"` will retrieve the entire rules configuration.
+
+`curl --include --get $REFINERY_HOST/query/rules/$FORMAT/$DATASET --header "x-honeycomb-refinery-query: my-local-token"` will retrieve the rule set that refinery will use for the specified dataset. It comes back as a map of the sampler type to its rule set.
 
 - `$REFINERY_HOST` should be the url of your refinery.
 - `$FORMAT` can be one of `json`, `yaml`, or `toml`.
 - `$DATASET` is the name of the dataset you want to check.
 
-
 ## Restarts
 
 Refinery does not yet buffer traces or sampling decisions to disk. When you restart the process all in-flight traces will be flushed (sent upstream to Honeycomb), but you will lose the record of past trace decisions. When started back up, it will start with a clean slate.

diff --git a/config/config.go b/config/config.go
@@ -144,4 +144,7 @@ type Config interface {
 	GetEnvironmentCacheTTL() time.Duration
 
 	GetDatasetPrefix() string
+
+	// GetQueryAuthToken returns the token that must be used to access the /query endpoints
+	GetQueryAuthToken() string
 }